Back to Blog
critical SEVERITY9 min read

Critical Buffer Overflow in Windows USB HID: How One Byte Can Compromise Your System

A critical buffer overflow vulnerability was discovered and patched in the Windows USB HID host library, where four unsafe `memcpy` calls copied data using device-reported sizes without validating destination buffer capacity. The most dangerous instance could overflow a heap buffer by as little as one byte — enough to corrupt heap metadata and potentially allow arbitrary code execution. This post breaks down how the vulnerability works, why it matters, and how to write safer memory operations in

O
By Orbis AppSec
•Published May 17, 2026•Reviewed June 3, 2026

Answer Summary

This is a critical buffer overflow vulnerability (CWE-122) in C code within the Windows USB HID host library, caused by four unsafe `memcpy` calls that copied data using device-reported sizes without validating destination buffer capacity. The fix involves adding explicit bounds checking before each `memcpy` operation to ensure the source data size never exceeds the allocated destination buffer size, preventing heap corruption and potential arbitrary code execution.

Vulnerability at a Glance

cweCWE-122
fixAdd explicit size validation before each memcpy to ensure data fits in destination buffer
riskArbitrary code execution via heap metadata corruption
languageC
root causeUnsafe memcpy using device-reported sizes without bounds validation
vulnerabilityHeap-based Buffer Overflow

Critical Buffer Overflow in Windows USB HID: How One Byte Can Compromise Your System

Severity: šŸ”“ Critical | CVE Type: Buffer Overflow (CWE-122) | Fixed In: Windows USB HID Host Library


Introduction

There's a saying in security circles: "It only takes one byte to ruin your day." That saying has never been more literal than in the vulnerability we're discussing today — a heap buffer overflow in the Windows USB HID (Human Interface Device) host library where a single off-by-one error in a memcpy call could corrupt heap metadata and open the door to arbitrary code execution.

This vulnerability was discovered in Win/lib/src/usb_hidhost_impl.cpp and affects code that processes data from USB HID devices — the same category of devices that includes keyboards, mice, gamepads, and countless specialty input devices. Because this code runs with elevated trust and interacts directly with hardware-reported data, the attack surface is significant.

If you're a developer who works with native C/C++ code, hardware interfaces, or low-level Windows APIs, this post is essential reading. Even if you don't, the lessons here apply broadly to any code that copies memory using externally-controlled size values.


The Vulnerability Explained

What Is a Heap Buffer Overflow?

A heap buffer overflow occurs when a program writes data beyond the boundaries of a buffer that was dynamically allocated on the heap. Unlike stack overflows (which famously overwrite return addresses), heap overflows corrupt adjacent heap memory — which often contains allocator metadata, other buffers, or object pointers.

Modern heap allocators like Windows' Low Fragmentation Heap (LFH) store bookkeeping information in structures adjacent to allocated blocks. Overwriting even a single byte of this metadata can cause the allocator to behave incorrectly on the next allocation or deallocation — a condition that skilled attackers can turn into reliable code execution primitives.

The Vulnerable Code

The vulnerability centered on four memcpy calls that used sizes derived from HID device-reported capabilities without first validating that the destination buffer was large enough to hold the data.

The two most critical instances:

Instance 1 — The Off-By-One at Line 318:

// VULNERABLE: vpTempBuf was allocated as `vCaps.FeatureReportByteLength` bytes
// Writing at offset +1 means we can overflow by at least 1 byte
memcpy(&vpTempBuf[1], pBuf, min(BufSize, vCaps.FeatureReportByteLength));

Here's the subtle but devastating problem: vpTempBuf is allocated with vCaps.FeatureReportByteLength bytes. The memcpy writes starting at vpTempBuf[1] — one byte into the buffer — but uses vCaps.FeatureReportByteLength as the maximum copy size. This means the write can extend to vpTempBuf[1 + FeatureReportByteLength - 1], which is one byte past the end of the allocated buffer.

Allocated buffer:  [0][1][2][3]...[N-1]
Write starts at:      [1]
Write ends at:           [2][3]...[N-1][N]  ← ONE BYTE PAST THE END
                                             ↑ HEAP CORRUPTION

Instance 2 — No Guard at All at Line 232:

// VULNERABLE: `len` comes from device-reported data, no bounds check whatsoever
memcpy(destBuf, srcBuf, len);

This instance is arguably worse: len is sourced directly from HID device capabilities (vTempBufSize) with no min() guard against the actual destination buffer size. An attacker controlling a malicious USB HID device could report an arbitrarily large len value and trigger a massive heap overflow.

Why Is This Exploitable?

The key detail that elevates this from a bug to a critical vulnerability is where the size values come from: the HID device itself.

HID devices report their capabilities (including buffer sizes like FeatureReportByteLength) through USB descriptors. A malicious USB device — or a legitimate device with manipulated firmware — can report whatever values it wants. This means:

  1. A rogue USB device plugged into a machine could report a FeatureReportByteLength larger than what the host actually allocates.
  2. The memcpy would then write beyond the buffer boundary.
  3. Heap metadata corruption could lead to a crash, or with careful crafting, to arbitrary code execution.

Real-World Attack Scenario

Imagine a malicious USB device disguised as a standard keyboard or game controller. When plugged in:

  1. The device reports a FeatureReportByteLength of, say, 512 bytes.
  2. The host allocates a buffer based on this value.
  3. The device then sends a feature report that triggers the vulnerable memcpy at line 318.
  4. Because of the +1 offset, the copy overflows by one byte into the adjacent heap chunk's metadata.
  5. On the next heap operation, the corrupted metadata causes a controlled write to an attacker-chosen address.
  6. Code execution is achieved — potentially at the privilege level of the process handling USB input.

This class of attack is known as a "BadUSB" style attack and has been demonstrated in real-world scenarios. Physical access to a USB port is the only prerequisite.


The Fix

What Changed

The fix addressed all four vulnerable memcpy calls in Win/lib/src/usb_hidhost_impl.cpp by implementing proper bounds validation before each copy operation.

The core principle of the fix:

Never trust externally-supplied size values. Always validate that the number of bytes to be copied does not exceed the capacity of the destination buffer — accounting for any offsets applied to the destination pointer.

Fixed Instance 1 — Accounting for the Offset:

// BEFORE (vulnerable):
memcpy(&vpTempBuf[1], pBuf, min(BufSize, vCaps.FeatureReportByteLength));

// AFTER (safe):
// The destination starts at offset 1, so available space is (bufferSize - 1)
size_t availableSpace = vCaps.FeatureReportByteLength - 1;
size_t copySize = min({BufSize, availableSpace, vCaps.FeatureReportByteLength - 1});
memcpy(&vpTempBuf[1], pBuf, copySize);

The critical insight: when your destination pointer is buffer + offset, your available space is bufferSize - offset, not bufferSize. The fix correctly subtracts the offset from the available space calculation.

Fixed Instance 2 — Adding the Missing Guard:

// BEFORE (vulnerable):
memcpy(destBuf, srcBuf, len);

// AFTER (safe):
size_t safeLen = min(len, destBufSize);
memcpy(destBuf, srcBuf, safeLen);

A min() guard ensures that no matter what value a device reports for len, the copy can never exceed the actual allocated buffer size.

The Broader Security Improvement

Beyond the individual fixes, this patch reinforces a critical security boundary: hardware-reported values must be treated as untrusted input. Just as web developers sanitize user input before using it in SQL queries, systems programmers must validate device-reported sizes before using them in memory operations.

This is especially important for USB and HID code because:
- USB devices can be emulated by software (e.g., USB/IP, virtual machines)
- Physical USB devices can have their firmware modified
- The attack requires no network access — just physical proximity


Prevention & Best Practices

1. Never Trust Externally-Sourced Size Values

Any size value that originates from outside your program — user input, network packets, file data, hardware descriptors — must be validated before use in memory operations.

// āŒ Dangerous pattern
memcpy(dest, src, external_size);

// āœ… Safe pattern
if (external_size > dest_capacity) {
    // Handle error: reject, truncate, or log
    return ERROR_BUFFER_OVERFLOW;
}
memcpy(dest, src, external_size);

2. Account for Pointer Arithmetic in Bounds Checks

When writing to buffer + offset, your available capacity is buffer_size - offset, not buffer_size.

// āŒ Dangerous: ignores the offset
memcpy(&buf[offset], src, buf_size);

// āœ… Safe: accounts for the offset
if (offset >= buf_size) return ERROR_INVALID_OFFSET;
size_t available = buf_size - offset;
memcpy(&buf[offset], src, min(src_size, available));

3. Prefer Safe Memory Functions

Modern C and C++ offer safer alternatives to raw memcpy:

// C11: memcpy_s (bounds-checking version)
errno_t result = memcpy_s(dest, destSize, src, count);
if (result != 0) { /* handle error */ }

// C++: std::copy with iterators (compile-time or runtime bounds)
std::copy_n(src, std::min(count, destSize), dest);

// Windows-specific: RtlCopyMemory with explicit size validation

4. Use Static Analysis Tools

Several tools can catch these vulnerabilities automatically:

Tool Type What It Catches
AddressSanitizer (ASan) Dynamic Buffer overflows at runtime
Valgrind Dynamic Memory errors including overflows
PVS-Studio Static Suspicious memcpy patterns
Coverity Static Buffer overflows, tainted data
CodeQL Static Data flow from untrusted sources to memory ops
MSVC /analyze Static SAL annotation violations

5. Use SAL Annotations on Windows

Microsoft's Source Annotation Language (SAL) lets you annotate buffer parameters so the compiler and static analysis tools can verify correct usage:

// Annotate your functions to express buffer size contracts
void ProcessHidReport(
    _Out_writes_bytes_(bufSize) BYTE* buffer,
    _In_ size_t bufSize,
    _In_reads_bytes_(dataLen) const BYTE* data,
    _In_ size_t dataLen
);

6. Apply Defense in Depth

Even with correct bounds checking, consider additional mitigations:

  • Enable Heap Integrity Checking: Windows' heap manager has optional integrity checks that can detect corruption earlier.
  • Use Control Flow Guard (CFG): Helps prevent exploitation of heap corruption for code execution.
  • ASLR + DEP: Ensure these are enabled for all modules to raise the exploitation bar.
  • Fuzz Testing: Use fuzzers like libFuzzer or AFL++ to feed malformed HID descriptors to your parsing code.

7. Security Standards Reference

This vulnerability maps to several well-known security standards:

  • CWE-122: Heap-based Buffer Overflow
  • CWE-131: Incorrect Calculation of Buffer Size
  • CWE-20: Improper Input Validation
  • OWASP: A03:2021 – Injection (untrusted data driving memory operations)
  • CERT C: Rule MEM35-C (Allocate sufficient memory for an object) and ARR38-C (Guarantee that library functions do not form invalid pointers)

Conclusion

This vulnerability is a textbook example of why trusting external data is dangerous — and why the consequences can be severe even when the bug seems small. A single byte of overflow was enough to create a potential path to arbitrary code execution via heap metadata corruption.

The key takeaways from this fix:

  1. Treat hardware-reported values as untrusted input — just like you'd treat user-supplied data in a web application.
  2. Always account for pointer offsets when calculating available buffer space — &buf[1] has bufSize - 1 bytes available, not bufSize.
  3. Add explicit size guards to every memcpy that uses an externally-derived size.
  4. Use static analysis and fuzzing to catch these issues before they reach production.
  5. Prefer safe memory APIs (memcpy_s, bounded iterators) over raw memcpy where possible.

Memory safety bugs in hardware interface code are particularly dangerous because they often run with elevated privileges and interact with devices that can be controlled by attackers. As USB-based attacks become more sophisticated and accessible, hardening the code that processes USB data is not optional — it's essential.

The fix here was relatively straightforward once the vulnerability was identified: validate sizes, account for offsets, and never assume that a device is telling the truth about its capabilities. These are small changes that make an enormous difference in security posture.


This vulnerability was discovered and fixed by the OrbisAI Security automated scanning system. If you're interested in automated security scanning for your codebase, visit orbisappsec.com.


Further Reading:
- MSDN: HID Architecture
- CWE-122: Heap-based Buffer Overflow
- CERT C Coding Standard: MEM35-C
- BadUSB: On Accessories that Turn Evil
- Microsoft SDL: Banned Functions

Frequently Asked Questions

What is a heap-based buffer overflow?

A heap-based buffer overflow occurs when a program writes data beyond the allocated boundaries of a heap buffer, potentially corrupting adjacent memory, heap metadata, or control structures used by the memory allocator.

How do you prevent buffer overflow in C?

Prevent buffer overflows by always validating that source data sizes do not exceed destination buffer capacity before copying, using safer functions like `memcpy_s`, implementing bounds checking, and never trusting external input for size calculations.

What CWE is buffer overflow?

Buffer overflows are classified under CWE-120 (Buffer Copy without Checking Size of Input) and more specifically CWE-122 (Heap-based Buffer Overflow) when the overflow occurs in dynamically allocated memory.

Is using memcpy_s enough to prevent buffer overflow?

While `memcpy_s` provides additional safety by requiring explicit destination size parameters, it's not a complete solution. Developers must still ensure the size parameter accurately reflects the buffer capacity and validate input sizes before the copy operation.

Can static analysis detect buffer overflow?

Yes, static analysis tools can detect many buffer overflow patterns, especially when size parameters come from untrusted sources or when buffer sizes are known at compile time. However, complex runtime-dependent overflows may require dynamic analysis or manual code review.

View the Security Fix

Check out the pull request that fixed this vulnerability

View PR #15

Related Articles

critical

How buffer overflow happens in C tar header parsing and how to fix it

A critical buffer overflow vulnerability was discovered in `microtar/microtar.c` where the `raw_to_header()` and `header_to_raw()` functions used unbounded `strcpy()` and `sprintf()` calls to copy tar header fields. Malicious tar files with non-null-terminated name fields could overflow destination buffers, potentially leading to code execution. The fix replaces all unsafe string operations with bounded alternatives: `memcpy()` with explicit null-termination and `snprintf()` instead of `sprintf(

critical

How buffer overflow happens in C ieee80211_input() and how to fix it

A critical buffer overflow vulnerability was discovered in `src/firmware/src/net/ieee80211.c` at line 1584, where the `ieee80211_input()` function processed raw 802.11 data frames without verifying that the incoming frame was large enough to contain a valid `ieee80211_frame` header. An attacker within wireless range could craft undersized or malformed frames to trigger memory corruption, potentially leading to remote code execution on the firmware. The fix adds a single, targeted bounds check th

high

How buffer overflow from unsafe string copy functions happens in C network interface code and how to fix it

A high-severity buffer overflow vulnerability was discovered in `generic/eth-impl.c`, where unsafe `strncpy()` and `sprintf()` calls could write beyond buffer boundaries when handling network interface names and device filenames. The fix replaced these dangerous functions with bounded `snprintf()` calls that guarantee null-termination and prevent memory corruption.

critical

How buffer overflow in FuzzIxml.c sprintf() happens in C and how to fix it

A critical buffer overflow vulnerability was discovered in `fuzzer/FuzzIxml.c` where `sprintf()` wrote a PID-formatted filename into a fixed 256-byte stack buffer without any bounds checking. The fix replaces `sprintf()` with `snprintf()`, explicitly passing the buffer size to prevent any overflow. While exploitation in this specific fuzzer context requires local access, the pattern is a textbook example of CWE-120 that developers should recognize and eliminate everywhere it appears.

critical

How buffer overflow happens in C HTML parsing and how to fix it

A critical buffer overflow vulnerability in `include/html_parse.h` allowed attackers to overflow buffers by providing malicious HTML input exceeding buffer capacity. The fix adds proper bounds checking before memcpy() operations to prevent memory corruption and potential code execution.

critical

How buffer overflow in memcpy() happens in Node.js N-API bindings and how to fix it

A critical buffer overflow vulnerability was discovered in the GetBufferAsVector() function in examples_nodejs/src/zupt_napi.cpp, where memcpy() copied data from JavaScript Uint8Array buffers without proper bounds validation. This vulnerability could allow attackers to trigger memory corruption by providing maliciously crafted input arrays to the native Node.js module, potentially leading to crashes or arbitrary code execution.